tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Rimov <>
Subject Kind of a wierd security request
Date Tue, 08 Aug 2000 23:15:02 GMT
Hello All,

<FlameProofing Statement>
This may be better directed specifically to the Tomcat Developers.  Please 
correct me if  I'm wrong, please converse with me if you think I might be 
wrong :-)
</FlameProofing Statement>

I just got done reading eWeek's summary on how OpenHack was struck 
down.  The biggest thing that allowed the person that cracked the system to 
penetrate as far as he did was the fact that Perl was running and the 
hacker could run perl scripts with the same permissions as the eCommerce 
that was utilizing perl.

Ok, so what's my point?  Well, because of the servlet engine running on top 
of a JVM, it most likely will allow hackers,  one way or another, to 
execute arbitrary Java code with the same permissions of the servlet 
container.  I'm also concerned about people putting Trojan servlets in the 
system.  Now, of course, a lot of this problem may be mitigated though 
proper permission settings, but who ever really gets it perfect?

So what I'd really like to see is a modification to the Tomcat Class Loader 
that allows (upon an option within the config file) to refuse to load any 
servlet unless the jar/war has been signed by somebody you expect.

Because I'm talking about war files, this should take care of JSP pages 
too, right?  The option, of course, would effectively block anything that 
wasn't packaged in a WAR/JAR file.

Of course, it would be really slick if this could _also_ be done with the 
JVM's default class loader, so no arbitrary classes with a main function 
would be executed unless it was also packaged and signed.  But since that's 
the JVM and this is the Tomcat list, I won't go down that road, and I don't 
even know if its possible.  (I'm very much a newbie to the java environment)

Can anybody comment?  Is this something that could possibly go into the 
Developer's wish-list or is this something that's better done (due to 
library requirements) by spinning off a different project?

Thanks for any input on this!

View raw message